Shell Command MCP Server

.github/workflows/docker-build.yaml
name: Build and Push Docker Image

on:
  release:
    types: [published]
  push:
    branches:
      - main
  workflow_dispatch:
    inputs:
      tag:
        description: 'Git tag to build from'
        required: false
        default: ''

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      security-events: write

    steps:
      - name: Get tag to build
        id: get-tag
        run: |
          if [ "${{ github.event_name }}" = "release" ]; then
            echo "tag=${{ github.event.release.tag_name }}"
          elif [ -n "${{ github.event.inputs.tag }}" ]; then
            echo "tag=${{ github.event.inputs.tag }}"
          elif [ "${{ github.event_name }}" = "push" ] && [ "${{ github.ref }}" = "refs/heads/main" ]; then
            echo "tag=main"
          else
            # Get latest release tag if no tag is specified
            LATEST_TAG=$(curl -s https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r .tag_name)
            echo "tag=${LATEST_TAG}"
          fi  \
          | tee -a $GITHUB_OUTPUT

      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ steps.get-tag.outputs.tag }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to container registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=raw,value=${{ steps.get-tag.outputs.tag }}
            type=raw,value=latest,enable=${{ github.event_name == 'release' || steps.get-tag.outputs.tag == github.event.repository.default_branch }}

      - name: Build Docker image (for scanning)
        uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          load: true
          tags: ${{ env.IMAGE_NAME }}:test
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Scan image with Dockle
        uses: erzz/dockle-action@v1
        with:
          image: ${{ env.IMAGE_NAME }}:test
          exit-code: 1
          failure-threshold: fatal
          report-format: sarif

      - name: Upload Dockle scan results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: dockle-report.sarif
          category: dockle

      - name: Push Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max